just to be really precise:
2) that would work as well but the ACE for everyone is redundant.
... as long as there is no allow ACE present in the hierarchy. starting with the minimal set of ACE is in any case preferable. if you have an allow for everyone on the root node you may consider removing it or change the configuration such that it's not created. regards angela